Introduction

GoodNotes Limited (the “Company”, “we”, “our” or “us”) is committed to protecting and respecting your privacy. We are a company with our registered office at Suite 1, 3rd Floor, 11-12 St. James's Square, United Kingdom, London SW1Y 4LB. This policy sets out the basis on which any data and information the Company (and other companies in the GoodNotes group) collects from you will be processed by the Company during your use of www.goodnotes.com (the “site”), GoodNotes 4 and GoodNotes 5 (together, the ”app”) and/or any functions or features GoodNotes offer (including, for example, the GoodNotes Learn and the GoodNotes Cloud). The app, the site and any additional services provided by GoodNotes to you are referred to together in this privacy policy as the "Services".

What kind of data is being collected?

We may collect and process “Personal Data” (which is defined as any data relating to a living individual who can be identified from that data and other information which is in our possession of, or is likely to come into our possession (or the possession of our representatives or service providers)) about you when you visit the site, install, download, access, register for or use the app, use our Services, or contact us in relation to the Services. The nature of the Personal Data that we may collect, and process will be determined by how you are using our Services. For example, where you are accessing, registering or using the app, we will collect less Personal Data than when you sign up and create an account to use our Services. We will only use your personal data as set out below and always in accordance with data protection legislation. While we are not based in the European Economic Area ("EEA") we also comply with the European Union's General Data Protection Regulation 2016/679 (the “EU GDPR”) together with the version of the EU GDPR which is incorporated into the domestic law of the United Kingdom (the “UK GDPR”) (the EU GDPR and the UK GDPR are collectively referred to as the "GDPR").

We do not collect special category Personal Data (as defined in the GDPR), which means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, genetic and biometric data, or data concerning health, sex life or sexual orientation.

a) Information we collect automatically: Such information may include (by way of a non-exhaustive list):

  • basic Personal Data about you (such as first name; family name; email address; country);
  • for certain support requests and issues, we may ask you to export and send us diagnostic data of your app. This data includes information necessary to diagnose and resolve issues you might experience with our Services including the titles of your documents, folders, and imported files; and
  • any information that you choose to share through the Services which may be considered Personal Data, including any information you upload containing details about you.

b) Information that we collect or generate about you: This includes (by way of non-exhaustive list):

  • any information regarding the Services accessed and/or used by you and our interactions with you;
  • a file with your contact history to be used for enquiry purposes so that we may ensure that you are satisfied with the Services which we have provided to you;
  • usage data when you visit or otherwise use the Services;
  • marketing and communications data collected regarding marketing, promotions and communicating new features; and
  • activity data relating to your usage of the Services, including publication of content and the use of documents available through the Services.

c) Information we obtain from other sources. This includes the Personal Data provided to us by third-parties, service providers, agencies or other publicly available sources where applicable. This includes (by way of non-exhaustive list):

  • social media features which may collect your IP address, which page you are visiting on our site, and may set a Cookie to enable the feature to function properly. Features may also allow third party social media services to provide us with information about you, including your name, email address, and other contact information. The information we receive is dependent upon your privacy settings with the third-party social media service. Features are either hosted by a third party or hosted directly on our site. Your interactions with these features are governed by the privacy statements of the third-party companies providing them. You should always review and, if necessary, adjust your privacy settings on third party websites and services before linking or connecting them to our Services.

What is this data being used for?

Your Personal Data may be stored and processed by us in the following ways and for the following purposes:

  • to allow you to use and access the features and functionality provided by the Services;
  • to set you up to use the Services;
  • to understand feedback on the Services and to help provide more information on the use of those services quickly and easily;
  • to communicate with you in order to provide you with the Services or information about us and the Services;
  • to allow us to tailor the information you see about materials and information that are most relevant to you;
  • for ongoing review and improvement of the information provided on the Services to ensure that it is user friendly and to prevent any potential disruptions or cyber-attacks;
  • to understand your needs and interests;
  • for the management and administration of our business or in relation to the sale of our business;
  • in order to comply with and in order to assess compliance with applicable laws, rules and regulations, and internal policies and procedures; or
  • for the administration and maintenance of our databases storing Personal Data.

However we use your Personal Data, we make sure that our usage complies with applicable data protection laws. The law allows or requires us to use your Personal Data for a variety of reasons. These include instances where:

Who is my data disclosed to?

We may disclose your personal data to other companies within our group for the purposes set out in "What is this data being used for?" above, as well as to law enforcement and regulatory agencies as may be required by law.

We may also disclose and transfer your personal data (whether in Hong Kong or abroad) to our agents, contractors or vendors ("Service Providers"). Where we do this, we will ensure that they are under a duty of confidentiality to us and we have imposed contractual obligations to ensure they can only use your personal data to provide agreed services to us and to you. Such Service Providers may provide administrative, data processing or other similar services to us to enable us to better provide the Services. We may also provide your personal data to actual or proposed assignees or transferees of our rights with respect to you in connection with a merger, sale or transfer (whether of assets or shares). In particular, certain of the specific third parties that we disclose data to include:

  • In order to log aggregated statistical, non personal data, we use another service by Google called Google Analytics for Firebase.
  • We use Zendesk by Zendesk Inc. for handling customer support emails.
  • We use Mailchimp for sending newsletters and tips and tricks to subscribers that subscribe voluntarily.
  • To collect feedback and ideas in our idea forum, we use the service provided by UserVoice. In order to submit feedback to the forum, an account with UserVoice will need to be created.
  • We use Amazon Web Services to power the infrastructure for GoodNotes Cloud.
  • We provide optional functionalities which allow you to sync your files on the app to your iCloud account.
  • We also use Compose, Inc. to power the infrastructure for GoodNotes Cloud.
  • We use Mixpanel to collect information about the use of GoodNotes Learn to maintain and improve our feature.
  • We use Amplitude collect information of usage of our app to maintain and improve our app and our products and services.

How long is the data being retained?

How long we will hold your Personal Data for will vary and will be determined by the following criteria:

  • the purpose for which we are using it – we will need to keep your Personal Data for as long as is necessary for that purpose; and
  • legal obligations – laws or regulation may set a minimum period that we have to keep your Personal Data.

International transfers of personal data

We are a global business. Our customers and our operations are spread around the world. As a result, we collect and transfer Personal Data on a global basis. That means that we may transfer your Personal Data to locations outside of your country.

Where we transfer your Personal Data to another country outside the UK and / or EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to data being transferred outside the UK and / or EEA, for example, this may be done in one of the following ways:

  • the country that we send the data to might be approved by relevant data protection authorities as offering an adequate level of protection for Personal Data;
  • the recipient might have signed up to a contract based on “model contractual clauses” approved by relevant data protection authorities, obliging them to protect your Personal Data;
  • the recipient may have adhered to binding corporate rules; or
  • in other circumstances the law may permit us to otherwise transfer your Personal Data outside Europe.

You can obtain more details of the protection given to your Personal Data when it is transferred outside the UK and / or EEA (including a copy of the standard data protection clauses which we have entered into with recipients of your Personal Data) by contacting us as referred to in the “More Questions” section below.

Keeping your data secure

We will use technical and organisational measures to safeguard your personal data, for example:

In addition, we have appropriate security measures in place to prevent personal data from being accidentally or unlawfully lost, used or accessed. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so or if there is a risk to your rights and freedoms.

Information about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on his/her behalf and has agreed that you can:

  • give consent on his/her behalf to the processing and transfer of his/her personal data; and
  • receive on his/her behalf any notices relating to data protection.

Your rights Under the GDPR

Under certain circumstances, you may have rights under data protection laws in relation to your Personal Data which you can exercise free of charge. These rights include:

  • The right to know whether we hold your personal data and to request access to your personal data held by us.
  • The right to withdraw your consent to the processing of your Personal Data at any time. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason for doing so. For example, we may need to retain Personal Data to comply with a legal obligation.
  • The right to request that we rectify your Personal Data if it is inaccurate or incomplete.
  • The right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data, but we are legally entitled to retain it.
  • In some circumstances, the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format and/or to instruct us to transmit that data to a third party.
  • The right to object at any time to your personal data being processed for direct marketing and in other certain circumstances, such as if we change our legitimate interests from the basis on which we initially collected and processed your personal data.
  • The right to lodge a complaint with the relevant data protection regulator if you think that any of your rights have been infringed by us.

If you wish to exercise any of the above rights, or make any related complaint or request in relation to your Personal Data, please contact us by using the contact details in the “More Questions” section below.

Further information about your rights may be obtained by contacting the supervisory data protection authority located in your jurisdiction.

Your Rights Under the CCPA

You have the right under the California Consumer Privacy Act of 2018 (CCPA), to exercise free of charge:

Cookies

To the extent that we collect Personal Data with the help of Cookies (which are small text files that include a small quantity of information sent to the browser of users, by a web server, and stored on the hard disk drive of a computer for purposes of archiving, collecting navigation data for statistical analysis purposes, and offering services related to your interests or location), we will process it in accordance with this Privacy Policy.

Types of Cookies and purposes

  • Cookies used by us are used to record information necessary for the proper functioning of the GoodNotes Learn and the Services offered to you, audience measurement, use monitoring and security.
  • Cookies are placed by us and, if applicable, our business partners, third party agents and contractors (without us being held responsible for the placement of Cookies by our partners, third party agents and contractors).
  • Each time a user is identified on the Services, a Cookie is placed allowing us to identify the computer or hardware used and the user navigating the Services. This Cookie allows the Services to be provided seamlessly and therefore without re-identification. This Cookie is invalidated when the browser is closed or after a period of inactivity.

Cookies on the GoodNotes Learn and Services are generally divided into the following categories:

  • (A) Strictly necessary Cookies. These are Cookies that are required for the operation of the GoodNotes Learn or provide necessary functions relating to the Services you request or receive. They include, for example, Cookies that enable you to log into secure areas of the GoodNotes Learn.
  • (B) Analytical or performance Cookies. These allow us to recognise and count the number of users and to see how users move around the GoodNotes Learn and Services when they are using it. This helps us to improve the way the Services work, for example, by ensuring that users are finding what they are looking for easily. These Cookies also allow us to collect statistical information about how you use the Services (including how long you spend on the Services) and where you have come to the Services from, so that we can improve the Services and learn which parts and functions of the Services are most popular with our Users.
Cookie
Google Analytics Including but not limited to:
• _gat
• _gid
• _ga
Purpose
How we use Google Analytics:
Google Analytics is a web analytics service provided by Google LLC (“Google”). Google Analytics uses Cookies to help analyse how users use our websites. The information generated by Google’s Cookies will be transferred outside of the EU, including by being transmitted to and stored on servers in the United States. This information will be used for the purpose of evaluating use of the websites, compiling reports on website activity and providing other services relating to website activity and internet usage. Google may transfer this information to third parties under the terms of Google’s privacy policy or other applicable policy, which may include transfer where consent is obtained, or because Google is required to do so by law or where it has a good faith belief that access, use, preservation or disclosure of the information is reasonably necessary to protect the rights, property or safety of Google, its users or the public, or in limited circumstances where such third parties carry out tasks on Google’s behalf (e.g. billing or data storage).

Google Analytics Policies:
To find more about these third-party Cookies you can access Google’s privacy policy on its website and the information about Cookies available there. You can also find additional information on Google Analytics Cookie usage and on how Google uses information from sites or apps that use its services at:
https://developers.google.com/analytics/devguides/collection/analyticsjs/Cookie-usage?hl=en-GB
https://policies.google.com/technologies/partner-sites?hl=en-GB&gl=uk

Disabling Google Analytics:
Moreover, you can prevent that Google gathers and processes data (Cookies and IP address) by downloading and installing a Browser-Plug-In available here:
https://tools.google.com/dlpage/gaoptout?hl=en-GB
Duration of Cookie
From a few seconds (_gat) to 2 years (_gid)

  • (C) Functionality Cookies. These Cookies enable helpful but non-essential functions that improve your experience on the Services. By recognising you when you return to the Services, they may, for example, allow us to personalise our content for you, greet you by name, or remember your preferences (for example, your choice of language or region). This also enables us to customise elements of the layout and/or content of the pages of the Services.
Cookie
_UserID_
Purpose
The UserID is linked to the user profile so that we load the correct profile when you access our Services.
Duration of Cookie
1 year
Cookie
_user token_
Purpose
The user token is used for authenticating the user so that we know the user is who they say they are when accessing the Services.
Duration of Cookie
1 year

More questions

We commit to resolving complaints about our collection or use of your Personal Data. Individuals with inquiries or complaints should first contact Ms Sherry Tai via support@goodnotes.com.

You also have a right to lodge a complaint with a competent supervisory authority situated in a member state of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details here for individuals located in the United Kingdom.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to the registered email associated with the account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt.  The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Changes to this policy

The Company reserves the right to make changes to this privacy policy at any time giving notice to its users on the site, the app, or as notified by us to you (by email for example), where possible. We recommend to check this page, to stay up to date to the latest changes.